========================
weird.log and notice.log
========================

Zeek offers two logs for activities that seem out of the ordinary: :file:`weird.log` and :file:`notice.log`. There's a distinction between them:

* :file:`weird.log` collects the various cases where analyzers ran into trouble understanding the traffic in terms of their protocols; basically, whenever there's something unexpected at the protocol level, that's a weird (for lack of anything better to do with it). That means that "weirds" are also essentially hardcoded by whoever wrote that analyzer. They can also be generated by scripts, but that's rarer.

* :file:`notice.log`, on the other hand, records situations explicitly detected and reported by Zeek scripts as inspection-worthy. These are usually not protocol errors but something semantically higher (like a self-signed cert). Notices are part of the script-level analysis and can be raised by Zeek packages as well.

Weirds can often be ignored because of their volume, but notices are much more interesting: they are the closest Zeek comes to IDS alerts.

For details on the fields, please refer to :zeek:see:`Weird::Info` and :zeek:see:`Notice::Info`.

:file:`weird.log`
=================

The best references on the contents of the :file:`weird.log` appear in the briefings and writings by Fatema Bannat Wala, such as What Is Weird in Zeek, published 13 November 2019.

https://zeek.org/2019/11/13/what-is-weird-in-zeek/

She spoke on the topic in 2018:

https://www.youtube.com/watch?v=XeJcBBZjaVA

She spoke on the topic in 2020 as well:

https://www.youtube.com/watch?v=s4VSYwfHP0s

For example, the following is a count of individual :file:`weird.log` entries over a 24-hour period on a home network::

    553 ["window_recision",false]
    129 ["unknown_protocol",false]
    1 ["truncated_IP",false]
    5 ["TCP_seq_underflow_or_misorder",false]
    4 ["TCP_ack_underflow_or_misorder",false]
    2 ["SYN_seq_jump",false]
    1 ["SYN_inside_connection",false]
    1 ["SYN_after_close",false]
    128 ["non_ip_packet_in_ethernet",false]
    23 ["line_terminated_with_single_CR",false]
    1 ["DNS_RR_unknown_type",false]
    3 ["data_after_reset",false]
    1 ["bad_TCP_header_len",false]
    21 ["bad_HTTP_request",false]
    2 ["above_hole_data_without_any_acks",false]

We will look at one of these entries below.

:file:`notice.log`
==================

The :file:`notice.log` does not have as much documentation as :file:`weird.log`. For an example of :file:`notice.log` entries over a 24-hour period from a home network, consider the following::

    654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
    48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
    13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]

We will look at one of these entries below.

Investigating a :file:`weird.log` and :file:`notice.log` Entry
==============================================================

Taking a look at two entries in the :file:`weird.log`, we see they reference the same connection:

.. literal-emph::

    {
      "ts": "2021-01-04T04:59:21.582639Z",
      "uid": "**CxdbSa2KGTlMl3PPB2**",
      "id.orig_h": "192.168.4.129",
      "id.orig_p": 51020,
      "id.resp_h": "40.71.25.43",
      "id.resp_p": 8080,
      **"name": "bad_HTTP_request",**
      "notice": false,
      "peer": "so16-enp0s8-1"
    }
    {
      "ts": "2021-01-04T04:59:21.582639Z",
      "uid": "**CxdbSa2KGTlMl3PPB2**",
      "id.orig_h": "192.168.4.129",
      "id.orig_p": 51020,
      "id.resp_h": "40.71.25.43",
      "id.resp_p": 8080,
      **"name": "line_terminated_with_single_CR",**
      "notice": false,
      "peer": "so16-enp0s8-1"
    }

We see a ``bad_HTTP_request`` and a ``line_terminated_with_single_CR``.

We happen to also have an entry for this connection in the :file:`notice.log`:

.. literal-emph::

    {
      "ts": "2021-01-04T04:59:23.038713Z",
      "uid": "CxdbSa2KGTlMl3PPB2",
      "id.orig_h": "192.168.4.129",
      "id.orig_p": 51020,
      "id.resp_h": "40.71.25.43",
      "id.resp_p": 8080,
      "fuid": "FtEE2txjFBxLDbffi",
      "proto": "tcp",
      **"note": "SSL::Invalid_Server_Cert",**
      **"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",**
      "sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
      "src": "192.168.4.129",
      "dst": "40.71.25.43",
      "p": 8080,
      "peer_descr": "so16-enp0s8-1",
      "actions": [
        "Notice::ACTION_LOG"
      ],
      "suppress_for": 3600
    }

We see an ``SSL::Invalid_Server_Cert`` message here.

This is truly an odd connection. It appears to involve an IoT device. There is no :file:`conn.log` entry for the activity, which could indicate it is a long-running connection that did not terminate during the period for which we have logs.

Conclusion
==========

The :file:`weird.log` and :file:`notice.log` files can be used for more than just odd behavior, but that is one of their main uses in current Zeek implementations. Analysts can find activity that may reveal something suspicious, malicious, or simply software/devices operating oddly.
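The two count listings above and the by-hand join on the connection ``uid`` in the investigation section can be reproduced over JSON-formatted logs with a few lines of Python. The following is an added example and is not code from the Zeek project or from this documentation. The log lines embedded in it are constructed: the first two weird entries and the notice entry copy the ones shown above, and a third connection (uid ``CW3constructed0``) is invented to make the counting visible. The command-line file arguments and the ``conn.log`` cross-check in ``uids_without_conn`` are assumptions about how one would run this against real logs.

```python
"""Count and correlate Zeek weird.log and notice.log entries (JSON format).

Added example; not code from the Zeek project or the page's author. Sample
input is constructed to match the entries on the page; file paths passed on
the command line are an assumption about the deployment.
"""
import json
import sys
from collections import Counter

# Constructed sample input: Zeek's JSON writer emits one object per line.
# uid CxdbSa2KGTlMl3PPB2 is the connection from the page; CW3constructed0 is invented.
WEIRD_LOG = r"""
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"bad_HTTP_request","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"line_terminated_with_single_CR","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T05:10:00.000000Z","uid":"CW3constructed0","id.orig_h":"192.168.4.10","id.orig_p":44321,"id.resp_h":"192.168.4.1","id.resp_p":443,"name":"window_recision","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T05:10:01.000000Z","uid":"CW3constructed0","id.orig_h":"192.168.4.10","id.orig_p":44321,"id.resp_h":"192.168.4.1","id.resp_p":443,"name":"window_recision","notice":false,"peer":"so16-enp0s8-1"}
"""

NOTICE_LOG = r"""
{"ts":"2021-01-04T04:59:23.038713Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"fuid":"FtEE2txjFBxLDbffi","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local","src":"192.168.4.129","dst":"40.71.25.43","p":8080,"peer_descr":"so16-enp0s8-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600}
"""


def parse_log(text):
    """Parse JSON-formatted Zeek log lines; blank lines and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(json.loads(line))
    return entries


def count_weirds(weirds):
    """Tally weird.log entries by (name, notice), the key used in the page's listing."""
    return Counter((w["name"], w["notice"]) for w in weirds)


def count_notices(notices):
    """Tally notice.log entries by (note, msg)."""
    return Counter((n["note"], n["msg"]) for n in notices)


def format_counts(counter):
    """Render a Counter as 'COUNT [key,...]' lines, most frequent first."""
    return [f"{c} {json.dumps(list(k), separators=(',', ':'))}"
            for k, c in counter.most_common()]


def correlate_by_uid(weirds, notices):
    """Group weird names and notice notes by connection uid and keep only the
    uids that appear in both logs (the join done by hand on the page)."""
    by_uid = {}
    for w in weirds:
        by_uid.setdefault(w["uid"], {"weirds": [], "notices": []})["weirds"].append(w["name"])
    for n in notices:
        by_uid.setdefault(n["uid"], {"weirds": [], "notices": []})["notices"].append(n["note"])
    return {uid: v for uid, v in by_uid.items() if v["weirds"] and v["notices"]}


def uids_without_conn(weirds, notices, conn_entries):
    """Return uids seen in weird/notice logs that have no conn.log record yet; as the
    page notes, that can mean the connection had not ended when the logs were cut."""
    seen = {e["uid"] for e in weirds} | {e["uid"] for e in notices}
    known = {c["uid"] for c in conn_entries}
    return sorted(seen - known)


def main(argv):
    """Usage: python weird_notice.py [weird.log notice.log]; without arguments the
    constructed samples are used. Real log paths depend on the deployment."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            weirds = parse_log(f.read())
        with open(argv[2]) as f:
            notices = parse_log(f.read())
    else:
        weirds, notices = parse_log(WEIRD_LOG), parse_log(NOTICE_LOG)
    print("weird.log counts:")
    print("\n".join(format_counts(count_weirds(weirds))))
    print("notice.log counts:")
    print("\n".join(format_counts(count_notices(notices))))
    print("uids present in both logs:")
    for uid, v in correlate_by_uid(weirds, notices).items():
        print(f"  {uid}: weirds={v['weirds']} notices={v['notices']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the sample output; pass the paths of a JSON-formatted ``weird.log`` and ``notice.log`` to run it over real logs. Feeding ``uids_without_conn`` the parsed ``conn.log`` for the same period lists the connections that, like the one investigated above, have not yet produced a ``conn.log`` record.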